Unsupervised Learning

AIG says BEC has overtaken ransomware as the primary claim type against their cyber insurance policies in EMEA, accounting for 23% of claims. More Paper The NSA Cyber Chief wants to share digital threat information early and often. I like the fact that they're opening up a bit, and I think it's only good for everyone (except bad guys). The more they share the higher the bar is for attackers, and the less time they have to use certain TTPs. This is exactly the type of Government-Industry interaction that we need to be doing more of to stay ahead of China. More NYU did a report on how social media is likely to be used for misinformation campaigns in 2020. They say Instagram will be a much bigger player this time around, which makes sense given that images are the dominant meme carrier. Article Study

Ring has already partnered with over 400 police departments. As you know, I'm torn on this kind of tech. Neighborhood watch can be a good thing, and it can also be a bad thing. Technology tends to magnify both weaknesses and strengths, so it can make neighborhood watch really great, or it can turn it into a nightmare. The problem is that you can easily start on the positive side, build it all the way up, and then in a few legal, policy, and tech changes have it turn into the oppressive form. Some say this is a reason not to do any of this stuff, but I disagree. We know someone is going to do it, so I think the best thing that can be done is to build a benign version and hope it wins in the market. More People are drawing comparisons between China's social credit system (which is actually multiple systems) and the Silicon Valley's various apps that have internal rating systems. They're saying that these ratings will eventually be used to make decisions about things that matter. Sure, but this has existed throughout human history. Word of mouth, blacklists, etc.: these are all ways of extending the reach of good or bad reputation. I think whenever someone points out the downside of a technology, we should ask ourselves whether that dynamic exists already in the real world, and adjust our opinions accordingly. More The Pentagon is worried that China will beat the US in AI if we don't create a stronger link between the government and both academia and industry, which China is good at. We basically need to move faster from edge concepts to practical implementations, but it's damn hard to do this when we have all sorts of legal and ethical constraints that China doesn't have. Our caution and morality are a definite weakness in this case. More

Protestors in Hong Kong are physically attacking and destroying facial recognition cameras. More Palo Alto says 7 out of 10 new domain registrations (NDRs) are either malicious or not safe for work, and they encourage companies to block them. More Lt. Gen. Fogarty is fighting to change the name of Army Cyber Command to Army Information Warfare Command, and to give the group a much larger scope in its mission. More We continue to see attacks against open source supply chains, in packages like NPM, RubyGems, Webmin, and many others. It's about to become imperative for people to understand—and to be able to validate—the entire chain of trust that a given application sits upon before they use it. There have been many companies in this space in the past, but I expect to see them (and new players) get a lot more attention soon. More

The terms intelligence, information, and data are thrown around pretty loosely in most tech circles, and this inevitably leads to people confusing and/or conflating them. What follows is a simple explanation of how the related terms are different from each other, and how they work together.

There are some seriously nasty Windows RDP bugs out there. If you have RDP facing the internet, make sure you're patched. And try to get to VPN as soon as possible. More A huge survey of firmware security has found virtually no improvement over the last 15 years. People seem surprised by this, but it is exactly what I would have predicted based on my analysis here. Basically, for most people not in the industry, our current state is actually fine. More NYPD has over 82K peoples' DNA in a database, and the program has little visibility and oversight. More

Ring is developing two-way relationships with hundreds of police departments in the US. This allows Ring users to be alerted to crime in their area via 911 data, and police departments to pull video from participating Ring devices. This is the type of functionality that most people will see and think, “Wow, I'd love to have that!”, which is why it's going to be very successful. But it's also one tiny step away from something terrifying.

Marcus Hutchins got off with time-served, and people have feelings. The range basically goes from 'he did nothing wrong', to, 'he should rot in prison'. In my mind this outcome was close to perfect. Remember, he went through two years of hell since being brought up charges, he's still a convicted felon, and he also is largely banned from the US. I think it's good that he admitted guilt, faced consequences, and is being offered a chance to continue giving back to the community. More Attorney General Barr said recently that companies should put backdoors in their products that bypass encryption, or else the government will pass laws that require it. This is unspeakably stupid. Without even getting into the philosophy of whether the internet can host a private conversation (which requires a warrant to tap), we can just start with the fact that backdoors present a clear and present danger to security, right now, due to the weaknesses of those who create them. If the NSA can be hacked or somehow lose its sensitive tools and materials, there's no company this cannot happen to. Purposefully installing backdoors therefore equates (effectively) to giving such access to attackers. Unacceptable. More Equifax is offering people $125 dollars in reparations for them losing all your data. But to get it, you have to log in and give a bunch of data about yourself. It's hilarious. They made money offering credit protection after the breach, and now they're going to collect updated information on anyone who wants to collect $125. On Twitter I called this a sadder and more permanent form of giving plasma. More

Unpacking the evolution-granted bliss of prep schools and elite institutions, and why they resonate so much with us.

The difference between unfairness and bias in machine learning.

Lots of people in the security community went silly over the FaceApp application last week, basically saying that you shouldn't be using the application because they'll steal your face and then be able to impersonate you. Oh, and then it turned out to be a Russian company who put out the application, and that made it 100x worse. The problem here is the lack of Threat Model Thinking. When it comes to election security, propaganda discussions, etc., I am quite concerned about Putin's willingness and ability to harm our country's cohesion through memes and social media. But that does not extend to some random company stealing faces. Why? Because before you can get legitimately concerned about something, you have to be able to describe a threat scenario in which that thing becomes dangerous. As I talked about in this piece, pictures of your face are not the same as your face when it comes to biometric authentication. There's a reason companies need a specific device, combined with their custom algorithm, in order to enroll you in a facial identification system. They scan you in a very specific way and then store your data (which is just a representation, not your actual face) in a very specific way. Then they need to use that same exact system to scan you again, so they can compare the two representations to each other. That isn't happening with random apps that have pictures of you. And even if that were the case, they could just get your face off your social media, where those same people who are worried are more than happy to take selfies, put their pictures on profile pictures, and make sure as many people see them as possible. There are actual negative things that can be done with images (like making Deepfakes of you), and that will get easier over time, but the defense for that is to have zero pictures of you…anywhere. And once again you have to ask who would be doing that to you, and why. Bottom line: authentication systems take special effort to try to ensure that the input given is the same as the enrollment item, e.g., (face, fingerprint, etc.), so it will not be easy any time soon to go from a random picture to something that can full a face scanner or fingerprint reader at the airport. People reading this probably already know this, but spread the word: threat modeling is one of our best tools for removing emotion from risk management. A contractor named SyTech that does work with Russian FSB has been breached, resulting in the release of 7.5TB of data on the FSB's various projects. This is obviously embarrassing for SyTech and the FSB, but the leaked projects focused on de-anonymization, spying on Russian businesses, and the project to break Russia away from the Internet, which are all known and expected efforts. So there don't seem to be any big reveals as a result of the leak. More Someone discovered that a bunch of browser extensions were reading things they shouldn't be, and sending them out to places they shouldn't be. This is not surprising to me. Chrome extensions are like Android apps, which should tell you all you need to know about installing random ones that seem interesting. My policy on browser extensions is extremely strict for this reason. People need to understand how insane the entire idea of the modern web is. We're visiting URLs that are executing code on our machines. And not just code from that website, but code from thousands of other websites in an average browsing session. It's a garbage fire. And the only defense really is to question how much you trust your browser, your operating system, and the original site you're visiting. But even then you're still exposing yourself to significant and continuously-evolving risk when you run around clicking things online. And the worst possible thing you can do in this situation is install more functionality, which gives more parties, more access, to that giant stack of assumptions you're making just by using a web browser. The best possible stance is to have as few people possible with access to your particular dumpster. And that means installing as few highly-vetted add-ons as possible. More

Time Speeds Up When You’re Wasting It

Parts of Manhattan had a power outage Saturday night, which happened to be the anniversary of another power outage in 1977. The power company apologized but didn't explain what happened. The hacker in me thinks this could easily be a probing shot by a sophisticated attacker, or a fun prank by amateurs. But the overwhelming odds are on simple failure. Either way, this country needs to get a whole lot more resilient to small attacks, because enough small ones can quickly become a big one. More Zoom has had a bad week or two. Not only did it have a major vuln, but it turned out to be part of the design, and they moved relatively slowly in addressing it, and then companies started auto-uninstalling it from their OS. They had a lot of momentum going in the space, too. This will sting for sure. More Facebook will be fined $5 billion over its various privacy catastrophes. More Marriott is being fined $124 million over the Starwood breach. Real question: how does that compare to their coffee budget? More

The Telegraph has found strong links between Huawei employees and Chinese intelligence agencies. The Huawei counter was that this was extremely common among telecom companies, and that it wasn't a big deal. The counter to that counter was, basically, "Well, then why did you try to hide it?" /gg More The NPM security team caught a malicious package designed to steal cryptocurrency. A lot of these packages work by uploading something useful, waiting until it's used by lots of people, and then updating it to have the malicious payload. My buddy Andre Eleuterio did the IR on the situation there at NPM, and said they're constantly improving their ability to detect these kinds of attacks. Luckily NPM's security team had the talent and tooling to detect such a thing, but think of how many similar companies aren't so equipped. I think any team that's part of a supply chain should be thinking about this type of attack very seriously. More Federal agents are mining state DMV photos to feed their facial recognition systems, and they're doing it without proper authorizations or consent. To me this has always been inevitable because—as Benedict Evans pointed out—it's a natural extension of what humans already do. You already have wanted posters. You already have known suspects lists. And it's already ok for any citizen or any cop to see any person on that list and report them. In fact it's not just possible, it's encouraged. So the only thing happening here is that process is becoming a whole lot more aware (through more sensors), and therefore more effective. Of course, any broken algorithms that identify the wrong people, or automatically single out groups of people without actual matches, those issues need to be snuffed out for sure. But we can't expect society to not use superior machine alternatives to existing human processes, such as identifying suspects in public. That just isn't realistic. Our role as security people should be making sure these systems are as accurate as possible, with as little bias as possible, by the best possible people. In other words, we should spend our cycles improving reality, not trying to stop it from happening. More

The World is Collapsing Into Two Countries—Green and Red

I created a new tutorial on OWASP Amass, and just joined the team as a contributor as well. Tutorial Chinese hacking groups have been embedded deep inside multiple major US tech firms for many years, including Fujitsu, Tata, NTT, Dimension Data, and HPE. The first thing you should be thinking is where else they are today. More Amazon is getting heavier into the SIEM space (and perhaps others) with their new Amazon Security Hub offering. It takes in lots of event types from various AWS services, and surfaces what it thinks is most important. Of course, it doesn't do this for other product types, i.e., non-AWS stuff, but that could come eventually. More Amazon also launched a new service that lets you monitor your AWS VPC traffic. And lots of vendors are announcing their support for it. More